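# Root CloudFormation template: S3 product/log buckets, DynamoDB event and
# product tables, three nested stacks (find_new, api, harvest_products) and a
# cross-account event-management IAM role.
# Date-looking scalars are quoted so that generic YAML 1.1 loaders (PyYAML,
# yamllint-style tooling) keep them as strings instead of date objects.
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  # Base URL of the HyP3 API; forwarded to the FindNew and HarvestProducts
  # nested stacks.
  HyP3URL:
    Type: String

  # Earthdata Login credentials; forwarded to the same nested stacks.
  EDLUsername:
    Type: String

  # NoEcho masks the value in describe-stacks output and the console for this
  # stack. It is forwarded to nested stacks as a plain parameter, so those
  # templates must mark it NoEcho as well — TODO confirm in find_new/ and
  # harvest_products/.
  EDLPassword:
    Type: String
    NoEcho: true

  # AWS account IDs trusted to assume EventManagementRole (see Resources).
  EventManagerAccountIds:
    Type: CommaDelimitedList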
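Resources:
  # Destination for ProductBucket's S3 server access logs. Fully locked down:
  # all public access blocked, SSE-S3 encryption at rest, ACLs disabled.
  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
            BucketKeyEnabled: true
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced

  # Allows the S3 logging service principal to write into LogBucket, but only
  # for logs that originate from ProductBucket in this account. The
  # SourceArn/SourceAccount conditions close the confused-deputy case where a
  # bucket in another account points its access logging at this bucket.
  LogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action: s3:PutObject
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Resource: !Sub "${LogBucket.Arn}/*"
            Condition:
              ArnLike:
                "aws:SourceArn": !GetAtt ProductBucket.Arn
              StringEquals:
                "aws:SourceAccount": !Sub "${AWS::AccountId}"

  # Public product-distribution bucket. BlockPublicPolicy and
  # RestrictPublicBuckets are deliberately false so that BucketPolicy (below)
  # can grant anonymous reads: every object stored here, and the key listing,
  # is world-readable. Public ACLs stay blocked and ACLs are disabled, so the
  # bucket policy is the only access control in play.
  ProductBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Server access logs go to LogBucket under a fixed prefix.
      LoggingConfiguration:
        DestinationBucketName: !Ref LogBucket
        LogFilePrefix: s3-access-logs/product-bucket/
      LifecycleConfiguration:
        Rules:
          # Move all objects to Intelligent-Tiering; the fixed date in the past
          # means the transition applies to existing and new objects alike.
          - Status: Enabled
            Transitions:
              - StorageClass: INTELLIGENT_TIERING
                TransitionDate: "2021-01-01T00:00:00.000Z"
          # Drop abandoned multipart uploads after one day so their parts do
          # not accumulate storage cost.
          - Status: Enabled
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1
      MetricsConfigurations:
        - Id: EntireBucket
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: false
        RestrictPublicBuckets: false
      # Browser reads from ASF-hosted pages only; GET/HEAD, no write methods.
      CorsConfiguration:
        CorsRules:
          - AllowedMethods:
              - GET
              - HEAD
            AllowedOrigins:
              - "*.asf.alaska.edu"
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced

  # Anonymous read access to ProductBucket. The s3:ListBucket grant lets any
  # caller enumerate every key; if consumers only ever fetch known object
  # paths, removing that statement would stop discovery of object names while
  # keeping GetObject working.
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ProductBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: s3:ListBucket
            Resource: !GetAtt ProductBucket.Arn
          - Effect: Allow
            Principal: "*"
            Action: s3:GetObject
            Resource: !Sub "${ProductBucket.Arn}/*"

  # One item per event, keyed by event_id. On-demand billing; no indexes.
  EventTable:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: event_id
          KeyType: HASH
      AttributeDefinitions:
        - AttributeName: event_id
          AttributeType: S

  # Products keyed by (event_id, product_id), with a GSI on
  # (status_code, processing_date) that projects all attributes so status
  # queries need no follow-up reads on the base table.
  ProductTable:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: event_id
          KeyType: HASH
        - AttributeName: product_id
          KeyType: RANGE
      GlobalSecondaryIndexes:
        - IndexName: status_code
          KeySchema:
            - AttributeName: status_code
              KeyType: HASH
            - AttributeName: processing_date
              KeyType: RANGE
          Projection:
            ProjectionType: ALL
      AttributeDefinitions:
        - AttributeName: event_id
          AttributeType: S
        - AttributeName: product_id
          AttributeType: S
        - AttributeName: status_code
          AttributeType: S
        - AttributeName: processing_date
          AttributeType: S

  # Nested stacks. TemplateURL values are relative paths, presumably rewritten
  # to S3 URLs when the template is packaged — confirm against the deploy
  # pipeline. The EDL credentials are passed through as plain parameters.
  FindNew:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: find_new/cloudformation.yml
      Parameters:
        HyP3URL: !Ref HyP3URL
        EventTable: !Ref EventTable
        ProductTable: !Ref ProductTable
        EDLUsername: !Ref EDLUsername
        EDLPassword: !Ref EDLPassword

  Api:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: api/cloudformation.yml
      Parameters:
        EventTable: !Ref EventTable
        ProductTable: !Ref ProductTable

  HarvestProducts:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: harvest_products/cloudformation.yml
      Parameters:
        ProductBucket: !Ref ProductBucket
        HyP3URL: !Ref HyP3URL
        ProductTable: !Ref ProductTable
        EDLUsername: !Ref EDLUsername
        EDLPassword: !Ref EDLPassword

  # Cross-account role for managing EventTable. Trust is granted to whole
  # accounts (EventManagerAccountIds) with no further condition, so any
  # principal in those accounts that holds sts:AssumeRole permission on this
  # role's ARN can use it; an sts:ExternalId or aws:PrincipalArn condition
  # would narrow that if the operator accounts are shared.
  EventManagementRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          Action: sts:AssumeRole
          Principal:
            AWS: !Ref EventManagerAccountIds
          Effect: Allow
      Policies:
        - PolicyName: policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                # Full item read/write on the event table; no table-level
                # admin actions (Create/Delete/UpdateTable) are granted.
                Action:
                  - dynamodb:Scan
                  - dynamodb:Query
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:UpdateItem
                  - dynamodb:DeleteItem
                # The trailing "*" also matches index/stream ARNs beneath the
                # table and any other table whose generated name starts with
                # this table's name. EventTable declares no indexes, so
                # `!GetAtt EventTable.Arn` alone would be tighter — TODO confirm
                # nothing depends on the wider match before narrowing it.
                Resource: !Sub "${EventTable.Arn}*"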